Choice and Chance: A Conceptual Model of Paths to Information Security Compromise

Sam Ransbotham
Sam Ransbotham
[email protected]
Carroll School of Management, Boston College, Chestnut Hill, Massachusetts 02467
Search for more papers by this author
,
Sabyasachi Mitra
Sabyasachi Mitra
[email protected]
College of Management, Georgia Institute of Technology, Atlanta, Georgia 30308
Search for more papers by this author

Sam Ransbotham

[email protected]

Carroll School of Management, Boston College, Chestnut Hill, Massachusetts 02467

Search for more papers by this author

Sabyasachi Mitra

[email protected]

College of Management, Georgia Institute of Technology, Atlanta, Georgia 30308

Search for more papers by this author

Published Online:1 Mar 2009https://doi.org/10.1287/isre.1080.0174

Abstract

No longer the exclusive domain of technology experts, information security is now a management issue. Through a grounded approach using interviews, observations, and secondary data, we advance a model of the information security compromise process from the perspective of the attacked organization. We distinguish between deliberate and opportunistic paths of compromise through the Internet, labeled choice and chance, and include the role of countermeasures, the Internet presence of the firm, and the attractiveness of the firm for information security compromise. Further, using one year of alert data from intrusion detection devices, we find empirical support for the key contributions of the model. We discuss the implications of the model for the emerging research stream on information security in the information systems literature.

Cited by
- An integrated framework for information security risk management: A mixed-methods systematic literature review
  Computers & Security, Vol. 168
- A review of cybercrime research: Synthesis and future directions
  Information & Management, Vol. 63, No. 5
- Cybersecurity research from a management perspective: A systematic literature review and future research agenda
  6 September 2023 | Journal of General Management, Vol. 51, No. 3
- Cyber Insurance Adoption at Individual Level: A Mixed Method Study
  19 March 2026 | Information Systems Frontiers, Vol. 13
- Transforming knowledge-sharing intentions into behaviour: the role of ambidextrous knowledge-sharing activities on mobile platforms
  18 September 2024 | Knowledge Management Research & Practice, Vol. 24, No. 2
- A Model of Information Security and Competition
  Alexandre de Cornière,
  Greg Taylor
  29 October 2024 | Marketing Science, Vol. 45, No. 2
- “Extortionality” in Ransomware Attacks: A Microeconomic Study of Extortion and Externality
  Debabrata Dey,
  Atanu Lahiri
  2 May 2025 | Information Systems Research, Vol. 37, No. 1
- Protecting data intangibly: How does control culture influence data breach risks?
  16 September 2025 | Decision Sciences, Vol. 57, No. 1
- Industry sector matters: mapping industry-specific cyber vulnerabilities through rational choice theory analysis
  14 January 2026 | Information & Computer Security, Vol. 94
- Journal of Accounting and Management Information Systems, Vol. 24, No. 4
- CEO gender and cybersecurity: The role of female CEOs in mitigating data breach risks
  International Journal of Accounting Information Systems, Vol. 56
- What Drives AIGC Product Users to Keep Coming Back? Unveiling the Key Factors Behind Continuance Intention
  12 March 2025 | International Journal of Human–Computer Interaction, Vol. 41, No. 20
- From cyber benign to cyber malicious: unveiling the evolution of insider cyber maliciousness from a stage theory perspective
  7 October 2024 | European Journal of Information Systems, Vol. 34, No. 4
- Risk of Cyberattacks Arising from Strategic Alliances with Big Tech
  24 August 2025 | Journal of Management Information Systems, Vol. 42, No. 3
- Regulating Information and Network Security: Review and Challenges
  24 January 2025 | ACM Computing Surveys, Vol. 57, No. 5
- Conceptual inconsistencies in variable definitions and measurement items within ISP non-/compliance research: A systematic literature review
  Computers & Security, Vol. 152
- Exposure of software vulnerabilities on Twitter: Analyzing vendors’ behavior of releasing software patches
  Computers & Security, Vol. 151
- Cyber-Versicherungsnachfrage im KMU-Bereich
  1 April 2025 | Zeitschrift für die gesamte Versicherungswissenschaft, Vol. 114, No. 2
- Adversarial knowledge-sharing in a coopetitive environment: a darknet hacker context
  22 January 2024 | European Journal of Information Systems, Vol. 34, No. 1
- The role of information technologies in modern corporate security
  Megatrend revija, Vol. 22, No. 1
- The whole of cyber defense: Syncing practice and theory
  The Journal of Strategic Information Systems, Vol. 33, No. 4
- A roadmap to achieving a healthier information ecosystem through GDPR implementation and privacy compliance technologies
  28 February 2024 | Journal of the Association for Information Science and Technology, Vol. 75, No. 10
- Operational shock: A method for estimating cyber security incident costs for large Australian healthcare providers
  26 December 2023 | Journal of Cyber Security Technology, Vol. 8, No. 4
- Does Sharing Make My Data More Insecure? An Empirical Study on Health Information Exchange and Data Breaches
  1 September 2024 | MIS Quarterly, Vol. 48, No. 3
- Information Security Research in the Information Systems Discipline: A Thematic Review and Future Research Directions
  31 July 2024 | ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Vol. 55, No. 3
- Securing the Future
- How TalkTalk did the walk-walk: strategic reputational repair in a cyber-attack
  26 May 2023 | Information Technology & People, Vol. 37, No. 4
- Information Security Maturity Model for Healthcare Organizations in the United States
  IEEE Transactions on Engineering Management, Vol. 71
- Chief Information Officers (CIOs) Joining Outside Boards of Directors: Impact on Their Home Firms’ Cybersecurity
  1 January 2024 | SSRN Electronic Journal, Vol. 41
- An Empirical Study on Core Data Asset Identification in Data Governance
  7 October 2023 | Big Data and Cognitive Computing, Vol. 7, No. 4
- CAN CYBER RISK OF HEALTH CARE FIRMS BE INSURED? A MULTINOMIAL LOGISTIC REGRESSION MODEL
  10 August 2023 | Journal of Organizational Computing and Electronic Commerce, Vol. 33, No. 1-2
- Computer crime motives: Do we have it right?
  18 February 2023 | Sociology Compass, Vol. 17, No. 4
- Where is IT in Information Security? The Interrelationship among IT Investment, Security Awareness, and Data Breaches
  1 March 2023 | MIS Quarterly, Vol. 47, No. 1
- Toward enhancing the information base on costs of cyber incidents: implications from literature and a large-scale survey conducted in Germany
  31 May 2022 | Organizational Cybersecurity Journal: Practice, Process and People, Vol. 2, No. 2
- Adoption of enterprise mobile systems – An alternative theoretical perspective
  International Journal of Information Management, Vol. 67
- Organized Cyber-Racketeering: Exploring the Role of Internet Technology in Organized Cybercrime Syndicates Using a Grounded Theory Approach
  IEEE Transactions on Engineering Management, Vol. 69, No. 6
- Linking Cybersecurity and Accounting: An Event, Impact, Response Framework
  1 November 2021 | Accounting Horizons, Vol. 36, No. 4
- The Work‐Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures
  7 May 2021 | Risk Analysis, Vol. 42, No. 8
- Threshold effects of ICT access and usage in Burkinabe and Ghanaian households
  30 August 2021 | Information Technology for Development, Vol. 28, No. 3
- Antecedents and consequences of data breaches: A systematic review
  Information & Management, Vol. 59, No. 4
- US Cybersecurity Laws and Regulations
- Data breach recovery areas: an exploration of organization's recovery strategies for surviving data breaches
  9 November 2021 | Organizational Cybersecurity Journal: Practice, Process and People, Vol. 2, No. 1
- Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement
  Debabrata Dey,
  Abhijeet Ghoshal,
  Atanu Lahiri
  11 August 2021 | Management Science, Vol. 68, No. 4
- Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government
  The Journal of Strategic Information Systems, Vol. 31, No. 1
- Detection time of data breaches
  Computers & Security, Vol. 112
- Strategic Data Access Management
  SSRN Electronic Journal, Vol. 7
- A Model of Human Factors in Cyber Security
- Informing cybersecurity strategic commitment through top management perceptions: The role of institutional pressures
  Information & Management, Vol. 58, No. 7
- The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites
  Ahmed Abbasi,
  David Dobolyi,
  Anthony Vance,
  Fatemeh Mariam Zahedi
  15 February 2021 | Information Systems Research, Vol. 32, No. 2
- The Impact of Executives’ IT Expertise on Reported Data Security Breaches
  Jacob Haislip,
  Jee-Hae Lim,
  Robert Pinsker
  11 March 2021 | Information Systems Research, Vol. 32, No. 2
- Decision support model for cybersecurity risk planning: A two-stage stochastic programming framework featuring firms, government, and attacker
  European Journal of Operational Research, Vol. 291, No. 1
- The Roles of IT Strategies and Security Investments in Reducing Organizational Security Breaches
  2 April 2021 | Journal of Management Information Systems, Vol. 38, No. 1
- Identifying the Effect of Data Breach Publicity on Information Security Awareness Using Hierarchical Regression
  IEEE Access, Vol. 9
- Too Good to Be True: Firm Social Performance and the Risk of Data Breach
  John D’Arcy,
  Idris Adjerid,
  Corey M. Angst,
  Ante Glavas
  18 September 2020 | Information Systems Research, Vol. 31, No. 4
- Corporate Strategy Changes and Information Technology Control Effectiveness in Multibusiness Firms
  1 December 2020 | MIS Quarterly, Vol. 44, No. 4
- An Experimental Approach for Estimating Cyber Risk: a Proposal Building upon Cyber Ranges and Capture the Flags
- Are You a Favorite Target For Cryptojacking? A Case-Control Study On The Cryptojacking Ecosystem
- Impacts of Sustainable Information Technology Capabilities on Information Security Assimilation: The Moderating Effects of Policy—Technology Balance
  30 July 2020 | Sustainability, Vol. 12, No. 15
- Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions
  18 November 2020 | Journal of Management Information Systems, Vol. 37, No. 3
- A Model for Improving Information Protection Service Cost Estimates: Focused on Public Institutions in Korea
  Journal of Computational and Theoretical Nanoscience, Vol. 17, No. 7
- Understanding diffusion of information systems-based services: evidence from mobile banking services
  5 May 2020 | Internet Research, Vol. 30, No. 4
- Organizational Adoption of Information Security Solutions
  18 May 2020 | ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Vol. 51, No. 2
- A comprehensive model of information security factors for decision-makers
  Computers & Security, Vol. 92
- A review and theoretical explanation of the ‘Cyberthreat-Intelligence (CTI) capability’ that needs to be fostered in information security practitioners and how this can be accomplished
  Computers & Security, Vol. 92
- Determinants of Cybercrime Originating within a Nation: A Cross-country Study
  20 April 2020 | Journal of Global Information Technology Management, Vol. 23, No. 2
- How does information technology-based service degradation influence consumers’ use of services? An information technology-based service degradation decision theory
  21 June 2019 | Journal of Information Technology, Vol. 35, No. 1
- Are External Auditors Concerned about Cyber Incidents? Evidence from Audit Fees
  12 March 2020 | Auditing: A Journal of Practice & Theory, Vol. 39, No. 1
- Where is IT in Information Security? The Interrelationship between IT Investment, Security Awareness, and Data Breaches
  SSRN Electronic Journal, Vol. 41
- Informing, simulating experience, or both: A field experiment on phishing risks
  18 December 2019 | PLOS ONE, Vol. 14, No. 12
- How Do EHRs and a Meaningful Use Initiative Affect Breaches of Patient Information?
  Seung Hyun Kim,
  Juhee Kwon
  19 July 2019 | Information Systems Research, Vol. 30, No. 4
- An Integrative Theory Addressing Cyberharassment in the Light of Technology-Based Opportunism
  9 October 2019 | Journal of Management Information Systems, Vol. 36, No. 4
- Abductive innovations in information security policy development: an ethnographic study
  16 June 2019 | European Journal of Information Systems, Vol. 28, No. 5
- Do Nonprofessional Investors Care About How and When Data Breaches are Disclosed?
  1 March 2019 | Journal of Information Systems, Vol. 33, No. 3
- When Private Information Settles the Bill: Money and Privacy in Google’s Market for Smartphone Applications
  Michael Kummer,
  Patrick Schulte
  23 April 2019 | Management Science, Vol. 65, No. 8
- Enterprise security investment through time when facing different types of vulnerabilities
  17 March 2017 | Information Systems Frontiers, Vol. 21, No. 2
- Understanding the role of technology attractiveness in promoting social commerce engagement: Moderating effect of personal interest
  Information & Management, Vol. 56, No. 2
- Demographic Factors in Cyber Security: An Empirical Study
  14 August 2019
- A Fundamental Approach to Cyber Risk Analysis
  1 January 2019 | Variance, Vol. 12, No. 2
- Automatic Prevention of Buffer Overflow Vulnerability Using Candidate Code Generation
  IEICE Transactions on Information and Systems, Vol. E101.D, No. 12
- The influence of a good relationship between the internal audit and information security functions on information security outcomes
  Accounting, Organizations and Society, Vol. 71
- Herausforderungen und Implikationen für das Cyber-Risikomanagement sowie die Versicherung von Cyberrisiken – Eine empirische Analyse
  3 January 2019 | Zeitschrift für die gesamte Versicherungswissenschaft, Vol. 107, No. 4
- Impact of employees’ demographic characteristics on the awareness and compliance of information security policy in organizations
  Telematics and Informatics, Vol. 35, No. 6
- Integrating Behavioural Security Factors for Enhanced Protection of Organisational Information Technology Assets
- Developing an Information Security Risk Taxonomy and an Assessment Model using Fuzzy Petri Nets
  Journal of Cases on Information Technology, Vol. 20, No. 3
- Strategic value alignment for information security management: a critical success factor analysis
  Information & Computer Security, Vol. 26, No. 2
- Investigating Knowledge Flows between Information Systems and Other Disciplines:
  25 May 2018 | ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Vol. 49, No. 2
- Three Essays on Information Security Risk Management
- Proactivity and Retroactivity of Firms and Information Sharing of Hackers
  25 March 2018 | International Game Theory Review, Vol. 20, No. 01
- Integration of Information Systems and Cybersecurity Countermeasures
  1 February 2018 | ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Vol. 49, No. 1
- Understanding organisational responses to regulative pressures in information security management: The case of a Chinese hospital
  Technological Forecasting and Social Change, Vol. 126
- Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement
  SSRN Electronic Journal, Vol. 19
- Drawing a Line in the Sand: Commitment Problem in Ending Software Support1
  1 December 2017 | MIS Quarterly, Vol. 41, No. 4
- Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda
  15 February 2018 | European Journal of Information Systems, Vol. 26, No. 6
- Trust or consequences? Causal effects of perceived risk and subjective norms on cloud technology adoption
  Computers & Security, Vol. 70
- Security Events and Vulnerability Data for Cybersecurity Risk Estimation
  11 August 2017 | Risk Analysis, Vol. 37, No. 8
- Winning the SDG battle in cities: how an integrated information ecosystem can contribute to the achievement of the 2030 sustainable development goals
  27 January 2017 | Information Systems Journal, Vol. 27, No. 4
- Exploring Organizational Culture for Information Security in Healthcare Organizations: A Literature Review
- Characterizing and Modeling Patching Practices of Industrial Control Systems
  13 June 2017 | Proceedings of the ACM on Measurement and Analysis of Computing Systems, Vol. 1, No. 1
- The information ethics perception gaps between Chinese and American students
  Information Technology & People, Vol. 30, No. 2
- Information Sharing Among Cyber Hackers in Successive Attacks
  2 May 2017 | International Game Theory Review, Vol. 19, No. 02
- Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks1
  1 June 2017 | MIS Quarterly, Vol. 41, No. 2
- Security Investment, Hacking, and Information Sharing between Firms and between Hackers
  25 May 2017 | Games, Vol. 8, No. 2
- ICT adoption in Cameroon SME: application of Bass diffusion model
  6 April 2017 | Information Technology for Development, Vol. 23, No. 2
- Impact of personal data protection (PDP) regulations on operations workflow
  Human Systems Management, Vol. 36, No. 1
- Information systems security policy implementation in practice: from best practices to situated practices
  19 December 2017 | European Journal of Information Systems, Vol. 26, No. 1
- The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures
  SSRN Electronic Journal, Vol. 4
- Security Breaches in the U.S. Federal Government
  SSRN Electronic Journal, Vol. 22
- When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security
  Yonghua Ji,
  Subodha Kumar,
  Vijay Mookerjee
  29 November 2016 | Information Systems Research, Vol. 27, No. 4
- Managing Enterprise Risks of Technological Systems: An Exploratory Empirical Analysis of Vulnerability Characteristics as Drivers of Exploit Publication*
  8 January 2016 | Decision Sciences, Vol. 47, No. 6
- A multifaceted evaluation of the reference model of information assurance & security
  Computers & Security, Vol. 63
- Managing security risks for inter-organisational information systems: a multiagent collaborative model
  17 December 2014 | Enterprise Information Systems, Vol. 10, No. 7
- A differential game approach to security investment and information sharing in a competitive environment
  13 January 2016 | IIE Transactions, Vol. 48, No. 6
- SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs
  1 August 2015 | Journal of Information Systems, Vol. 30, No. 1
- Using Grounded Theory Method in Information Systems: The Researcher as Blank Slate and Other Myths
- When Private Information Settles the Bill: Money and Privacy in Google's Market for Smartphone Applications
  SSRN Electronic Journal, Vol. 24
- IT Governance, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education
  SSRN Electronic Journal, Vol. 2
- A Study on Categorization of Accident Pattern for Organization’s Information Security Strategy Establish
  Journal of Society of Korea Industrial and Systems Engineering, Vol. 38, No. 4
- Information security investment for competitive firms with hacker behavior and security requirements
  19 June 2015 | Annals of Operations Research, Vol. 235, No. 1
- Information Disclosure and the Diffusion of Information Security Attacks
  Sabyasachi Mitra,
  Sam Ransbotham
  18 August 2015 | Information Systems Research, Vol. 26, No. 3
- Proposing the control‐reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies
  8 July 2014 | Information Systems Journal, Vol. 25, No. 5
- Explore Awareness of Information Security: Insights from Cognitive Neuromechanism
  Computational Intelligence and Neuroscience, Vol. 2015
- The Influence of Internal Audit on Information System Effectiveness: Perceptions of Internal Auditors
  SSRN Electronic Journal, Vol. 11
- A game-theoretic analysis of information sharing and security investment for complementary firms
  21 December 2017 | Journal of the Operational Research Society, Vol. 65, No. 11
- A qualitative analysis of an ontology based issue resolution system for cyber attack management
- Quality Competition and Market Segmentation in the Security Software Market1
  1 June 2014 | MIS Quarterly, Vol. 38, No. 2
- Is Your Banker Leaking Your Personal Information? The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse
  25 April 2013 | Journal of Business Ethics, Vol. 121, No. 3
- Systematic Elaboration of Compliance Requirements Using Compliance Debt and Portfolio Theory
- A Cooperative Model for IS Security Risk Management in Distributed Environment
  The Scientific World Journal, Vol. 2014
- Information Security Professionals' Perceptions about the Relationship between the Information Security and Internal Audit Functions
  1 May 2013 | Journal of Information Systems, Vol. 27, No. 2
- Understanding computer security behavioral intention in the workplace
  Information Technology & People, Vol. 26, No. 4
- Internet marketing: a content analysis of the research
  31 January 2013 | Electronic Markets, Vol. 23, No. 3
- Using Grounded Theory Method in Information Systems: The Researcher as Blank Slate and Other Myths
  1 September 2013 | Journal of Information Technology, Vol. 28, No. 3
- A Reference Model of Information Assurance & Security
- The Impact of Immediate Disclosure on Attack Diffusion and Volume
  27 July 2012
- Quality Competition in the Security Software Market
- Spam and Botnet Reputation Randomized Control Trials and Policy
  SSRN Electronic Journal, Vol. 7
- Preserving Opportunities in Internet Research: A Commentary on ‘Studying Cyborgs’
  1 December 2012 | Journal of Information Technology, Vol. 27, No. 4
- Hacker Behavior, Network Effects, and the Security Software Market
  8 December 2014 | Journal of Management Information Systems, Vol. 29, No. 2
- Institutional Influences on Information Systems Security Innovations
  Carol Hsu,
  Jae-Nam Lee,
  Detmar W. Straub,
  9 January 2012 | Information Systems Research, Vol. 23, No. 3-part-2
- The relationship between internal audit and information security: An exploratory investigation
  International Journal of Accounting Information Systems, Vol. 13, No. 3
- Discussion of “The relationship between internal audit and information security: An exploratory investigation”
  International Journal of Accounting Information Systems, Vol. 13, No. 3
- Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis
  8 December 2014 | Journal of Management Information Systems, Vol. 28, No. 4
- Are Markets For Vulnerabilities Effective?1
  1 March 2012 | MIS Quarterly, Vol. 36, No. 1
- Developing Theories in Information Systems Research: The Grounded Theory Method Applied
  4 August 2011
- A Conceptual Analysis about the Organizational Impact of Compliance on Information Security Policy
- An Integrative Model of Information Security Awareness for Assessing Information Systems Security Risk
- Investigating the Effectiveness of IS Security Countermeasures towards Cyber Attacker Deterrence
- An Empirical Study on Motivational Factors Influencing Information Security Policy Compliance and Security Behavior of End-Users(Employees) in Organizations
  The e-Business Studies, Vol. 12, No. 3
- Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments
  Terrence August,
  Tunay I. Tunca,
  25 March 2011 | Management Science, Vol. 57, No. 5
- Detecting complex account fraud in the enterprise: The role of technical and non-technical controls
  Decision Support Systems, Vol. 50, No. 4
- Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness1
  1 September 2010 | MIS Quarterly, Vol. 34, No. 3

cover image Information Systems Research

Volume 20, Issue 1

March 2009

Pages 1-157

Article Information

Supplemental Material

Metrics

Information

Received:May 10, 2006
Published Online:March 01, 2009

Cite as

Sam Ransbotham, Sabyasachi Mitra, (2009) Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Information Systems Research 20(1):121-139.

https://doi.org/10.1287/isre.1080.0174

Keywords

PDF download

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Choice and Chance: A Conceptual Model of Paths to Information Security Compromise

Abstract

Volume 20, Issue 1

Article Information

Supplemental Material

Metrics

Information

Cite as

Keywords

Sign Up for INFORMS Publications Updates and News